SANS ISC InfoSec Forums

Today one of our Handlers notice an interesting anomaly in the Dshield data. Since late March Dshield has seen a significant increase in the number of sources using port 2967 for scanning. Traditionally there has been some activity on this port, but in late March the number of sources increased approximately six times and the number of targets increased by about 50%. After a few days the sources settled down to about double the traditional value.

Most likely this has something to do with the recent Symantec vulnerabilities, but we here at the ISC would be interested in any insight anybody can shed on this activity. We would be especially interested in packet captures from traffic of this nature.